Krebs on Security

In-depth security news and investigation

Peek Inside a Professional Carding Shop

Over the past year, I’ve spent a great deal of time trolling a variety of underground stores that sell “dumps” — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs.

The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. Featuring the familiar golden arches and the bastardized logo, “i’m swipin’ it,” the site’s mascot is a gangstered-up Ronald McDonald pointing a handgun at the viewer.

Nevermind that this shop is violating a ridiculous number of McDonald’s trademarks in one fell swoop: It’s currently selling cards stolen from data breaches at main street stores in nearly every U.S. state.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

This was a major innovation that we saw prominently on display in the card shop that was principally responsible for selling cards stolen in the Target and Sally Beauty retail breaches: In those cases, buyers were offered the ability to search for cards by the city, state and ZIP of the Target and Sally Beauty stores from which those cards were stolen. Experienced carders (as buyers are called) know that banks will often flag transactions as suspicious if they take place outside of the legitimate cardholder’s regular geographic purchasing patterns, and so carders tend to favor cards stolen from consumers who live nearby.

The slideshow may make more sense if readers familiarize themselves with a few terms and phrases that show up in the text:

GLOSSARY OF TERMS:

Base: An arbitrary name that a dumps shop assigns to a unique batch of cards stolen from a particular compromised merchant or a mix of merchants. Most often, bases are named after the state or region of the compromised merchant. Base names allow dumps shop owners to have a consistent naming convention when adding freshly stolen cards from a specific breached merchant. In addition, base names allow happy customers to have an easy way to come back to the shop and request more of the same cards; conversely, buyers who have little success “cashing out” cards from a particular base have a frame of reference with which to warn other potential buyers away from a specific batch of cards (a la “brown acid“).

BINs: Short for “Bank Identification Number,” this is the first six digits of any debit or credit credit cards, and it uniquely identifies the financial institution that issued the card. BINs are the primary method that card shops use to index wares for sale, and all buyers have their favorite BINs with which they’ve found success in the past. There are tens of thousands of BINs in use today, and few people legitimately employed in the banking industry have comprehensive BIN lists (which most banks consider proprietary). For that, you typically need to turn to the professional card shops, which track BIN usage quite closely.

Checker: A form of buyer’s insurance, this is an automated, optional service that dumps shop customers can use after purchasing cards to validate whether the cards they just bought are still active. Most advanced shops, including this one, have “moneyback” guarantees in place that will automatically refund the purchase price for any cards found to be invalid shortly after the cards are bought (usually a window of a few minutes up to a few hours), provided the customer pays the extra fee (usually 10-20 cents per card) to use the shop’s own checking service.

Discounted cards sold in “packs” or at wholesale or bulk prices.

Dump: Refers to a string of data that is pulled (usually by malicious software that infects cash registers or point-of-sale devices inside compromised merchants) from the magnetic stripe on the back of cards. Buyers typically receive a text file that includes all of their dumps. Those individual dumps records — when encoded onto a new magnetic stripe on virtually anything the size of a credit card — can be used to purchase stolen merchandise in big box stores.

Packs: Large bundles of dumps (often from a variety of hacked merchants in a particular region) — sold at wholesale prices. As we can see from the screenshot above left, McDumpals sells dumps packs of more than 1,000 cards at a time. For example, in the screen shot above, the site is offering a pack of 1,245 cards stolen two months ago from stores in Massachusetts and Connecticut for the bargain price of USD $10,500.

First-hand base: A batch of cards stolen from a merchant breach in which the dumps shop proprietor himself played a key role. The multiple bases of some 40 million cards stolen in the Target breach and resold via rescator[dot]so is probably the biggest example I’ve seen of a first-hand base.

Reseller: Most dumps shops rely on multiple suppliers of stolen cards. Contrary to the conventional meaning of the word, these thieves are supplying cards that are not sold anywhere else; once a card is sold, it is removed from the marketplace, and any suppliers found to be double dipping are quickly banned from the dumps community. Rather, resellers are merely stealing the cards and then selling them to the dumps shop.

Valid rate: The dumps store’s best guess about the percentage of cards from a given base that will come back as valid versus canceled by the issuing bank. If a base is advertised at a 70 percent valid rate, customers can expect an average 3 out of every 10 cards they buy from that base to be worthless. Cards advertised at valid rates in excess of 90 percent typically demand the highest prices, and are a strong indicator of a breach that has only just been discovered by the breached merchant or some of the larger financial institutions. For more granular examples of how valid rates are closely tied to the price of stolen cards, see Fire Sale on Cards Stolen in Target Breach and Sally Beauty Hit By Credit Card Breach.

If the following slideshow is not visible, you may need to enable scripting on this page from knightlab.com, a Northwestern University joint initiative of Medill School of Journalism, Media, Integrated Marketing Communications and the Robert R. McCormick School of Engineering & Applied Science.

People often ask if I worry about shopping online. These days, I worry more about shopping in main street stores. McDumpals is just one dumps shop, and it adds many new bases each week. There are dozens of card shops just like this one in the underground (some more exclusive than others), all selling bases from unique, compromised merchants.

This entry was posted on Wednesday, June 4th, 2014 at 12:17 pm and is filed under A Little Sunshine, The Coming Storm.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.